Commit 2c619ab
Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into ip-acl-concepts
2 parents a5996d7 + 397fd41 commit 2c619ab

6 files changed (+84, -35 lines changed)

articles/healthcare-apis/.openpublishing.redirection.healthcare-apis.json

Lines changed: 2 additions & 2 deletions
@@ -91,8 +91,8 @@
9191
"redirect_document_id": true
9292
},
9393
{
94-
"source_path_from_root": "/articles/healthcare-apis/configure-private-link.md",
95-
"redirect_url": "/azure/healthcare-apis/fhir/configure-private-link",
94+
"source_path_from_root": "/articles/healthcare-apis/healthcare-apis-configure-private-link.md",
95+
"redirect_url": "/azure/healthcare-apis/configure-private-link",
9696
"redirect_document_id": true
9797
},
9898
{
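Review bot: the direction of this redirect is reversed rather than merely edited: the removed entry sent configure-private-link.md to /azure/healthcare-apis/fhir/configure-private-link, the added one sends healthcare-apis-configure-private-link.md to /azure/healthcare-apis/configure-private-link. Before merging, check that no other entry in this file still maps configure-private-link.md away (a path that is both a redirect source and a redirect target produces a redirect loop), and grep the repo for links to healthcare-apis-configure-private-link.md, because that path is now a retired source and any relative link to it will be flagged as broken at build time.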
Lines changed: 22 additions & 31 deletions
@@ -1,18 +1,18 @@
11
---
2-
title: Private Link for Azure Health Data Services
3-
description: This article describes how to set up a private endpoint for Azure Health Data Services
2+
title: Configure Private Link for Azure Health Data Services
3+
description: Learn how to set up Private Link for secure access to Azure Health Data Services.
44
services: healthcare-apis
5-
author: chachachachami
5+
author: msjasteppe
66
ms.service: healthcare-apis
77
ms.subservice: fhir
88
ms.topic: reference
9-
ms.date: 06/06/2022
10-
ms.author: chrupa
9+
ms.date: 05/06/2024
10+
ms.author: jasteppe
1111
---
1212

1313
# Configure Private Link for Azure Health Data Services
1414

15-
Private Link enables you to access Azure Health Data Services over a private endpoint. Private Link is a network interface that connects you privately and securely using a private IP address from your virtual network. With Private Link, you can access our services securely from your VNet as a first party service without having to go through a public Domain Name System (DNS). This article describes how to create, test, and manage your Private Endpoint for Azure Health Data Services.
15+
Private Link enables you to access Azure Health Data Services over a private endpoint. Private Link is a network interface that connects you privately and securely using a private IP address from your virtual network. With Private Link, you can access our services securely from your virtual network as a first party service without having to go through a public Domain Name System (DNS). This article describes how to create, test, and manage your Private Endpoint for Azure Health Data Services.
1616

1717
>[!Note]
1818
> Neither Private Link nor Azure Health Data Services can be moved from one resource group or subscription to another once Private Link is enabled. To make a move, delete the Private Link first, and then move Azure Health Data Services. Create a new Private Link after the move is complete. Next, assess potential security ramifications before deleting the Private Link.
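Review bot: line 15 still says "Private Link is a network interface that connects you privately and securely using a private IP address"; the network interface carrying the private IP address is the private endpoint, while Private Link is the service that exposes the workspace to it, and the rest of the article (including the next sentence) talks about creating a "Private Endpoint". Rewrite as "A private endpoint is a network interface that ..." so the two terms are not used interchangeably. Two smaller points: ms.topic: reference (line 8) does not fit a step-by-step configuration article, where how-to is the usual value; and the unchanged note at line 18 says "Next, assess potential security ramifications before deleting the Private Link" after the deletion step, so move the assessment sentence to the front of the note.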
@@ -23,9 +23,9 @@ Private Link enables you to access Azure Health Data Services over a private end
2323

2424
Before you create a private endpoint, the following Azure resources must be created first:
2525

26-
- **Resource Group** – The Azure resource group that will contain the virtual network and private endpoint.
27-
- **Workspace**This is a logical container for FHIR and DICOM service instances.
28-
- **Virtual Network** – The VNet to which your client services and private endpoint will be connected.
26+
- **Resource Group** – The Azure resource group that contains the virtual network and private endpoint.
27+
- **Workspace**The logical container for FHIR® and DICOM® service instances.
28+
- **Virtual Network** – The virtual network to which your client services and private endpoint is connected.
2929

3030
For more information, see [Private Link Documentation](./../private-link/index.yml).
3131

@@ -35,7 +35,7 @@ To create a private endpoint, a user with Role-based access control (RBAC) permi
3535

3636
Private link is configured at the workspace level, and is automatically configured for all FHIR and DICOM services within the workspace.
3737

38-
There are two ways to create a private endpoint. Auto Approval flow allows a user that has RBAC permissions on the workspace to create a private endpoint without a need for approval. Manual Approval flow allows a user without permissions on the workspace to request a private endpoint to be approved by owners of the workspace or resource group.
38+
There are two ways to create a private endpoint. Auto Approval flow allows a user that has RBAC permissions on the workspace to create a private endpoint without a need for approval. Manual Approval flow allows a user without permissions on the workspace to request that owners of the workspace or resource group approve the private endpoint.
3939

4040
> [!NOTE]
4141
> When an approved private endpoint is created for Azure Health Data Services, public traffic to it is automatically disabled.
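Review bot: "Private link" at line 36 (unchanged context) is the only lowercase occurrence in the article; make it "Private Link" like everywhere else, and "a user that has RBAC permissions" at line 38 should be "a user who has". More importantly, the note at lines 40-41 says public traffic is disabled automatically when the endpoint is approved, while the test section later speaks of "after disabling public network access" and "after updating the public network access flag" as if it were a manual step; pick one description so readers know whether they have to toggle anything.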
@@ -44,49 +44,47 @@ There are two ways to create a private endpoint. Auto Approval flow allows a use
4444

4545
Ensure the region for the new private endpoint is the same as the region for your virtual network. The region for the workspace can be different.
4646

47-
[![Screen image of the Azure portal Basics Tab.](media/private-link/private-link-basics.png)](media/private-link/private-link-basics.png#lightbox)
47+
:::image type="content" source="media/private-link/private-link-basics.png" alt-text="Screenshot showing image of the Azure portal Basics Tab.":::
4848

4949
For the resource type, search and select **Microsoft.HealthcareApis/workspaces** from the drop-down list. For the resource, select the workspace in the resource group. The target subresource, **healthcareworkspace**, is automatically populated.
5050

51-
[![Screen image of the Azure portal Resource tab.](media/private-link/private-link-resource.png)](media/private-link/private-link-resource.png#lightbox)
51+
:::image type="content" source="media/private-link/private-link-resource.png" alt-text="Screenshot showing image of the Azure portal Resource tab.":::
5252

5353
### Manual approval
5454

5555
For manual approval, select the second option under Resource, **Connect to an Azure resource by resource ID or alias**. For the resource ID, enter **subscriptions/{subcriptionid}/resourceGroups/{resourcegroupname}/providers/Microsoft.HealthcareApis/workspaces/{workspacename}**. For the Target subresource, enter **healthcareworkspace** as in Auto Approval.
5656

57-
[![Screen image of the Manual Approval Resources tab.](media/private-link/private-link-resource-id.png)](media/private-link/private-link-resource-id.png#lightbox)
57+
:::image type="content" source="media/private-link/private-link-resource-id.png" alt-text="Screen image of the Manual Approval Resources tab.":::
5858

5959
### Private Link DNS configuration
6060

6161
After the deployment is complete, select the Private Link resource in the resource group. Open **DNS configuration** from the settings menu. You can find the DNS records and private IP addresses for the workspace, and FHIR and DICOM services.
6262

63-
[![Screen image of the Azure portal DNS Configuration.](media/private-link/private-link-dns-configuration.png)](media/private-link/private-link-dns-configuration.png#lightbox)
63+
:::image type="content" source="media/private-link/private-link-dns-configuration.png" alt-text="Screenshot showing image of the Azure portal DNS Configuration.":::
6464

6565
### Private Link Mapping
6666

67-
After the deployment is complete, browse to the new resource group that is created as part of the deployment. You'll see two private DNS zone records and one for each service. If you have more FHIR and DICOM services in the workspace, additional DNS zone records will be created for them.
67+
After the deployment is complete, browse to the new resource group that is created as part of the deployment. You should see two private DNS zone records and one for each service. If you have more FHIR and DICOM services in the workspace, more DNS zone records are created for them.
6868

69-
[![Screen image of Private Link FHIR Mapping.](media/private-link/private-link-fhir-map.png)](media/private-link/private-link-fhir-map.png#lightbox)
69+
:::image type="content" source="media/private-link/private-link-fhir-map.png" alt-text="Screenshot showing image of Private Link FHIR Mapping.":::
7070

71-
Select **Virtual network links** from the **Settings**. You'll notice the FHIR service is linked to the virtual network.
72-
73-
[![Screen image of Private Link VNet Link FHIR.](media/private-link/private-link-vnet-link-fhir.png)](media/private-link/private-link-vnet-link-fhir.png#lightbox)
71+
Select **Virtual network links** from the **Settings**. Notice that the FHIR service is linked to the virtual network.
7472

73+
:::image type="content" source="media/private-link/private-link-vnet-link-fhir.png" alt-text="Screenshot showing image of Private Link virtual network Link FHIR.":::
7574

7675
Similarly, you can see the private link mapping for the DICOM service.
7776

78-
[![Screen image of Private Link DICOM Mapping.](media/private-link/private-link-dicom-map.png)](media/private-link/private-link-dicom-map.png#lightbox)
77+
:::image type="content" source="media/private-link/private-link-dicom-map.png" alt-text="Screenshot showing image of Private Link DICOM Mapping.":::
7978

8079
Also, you can see the DICOM service is linked to the virtual network.
8180

82-
[![Screen image of Private Link VNet Link DICOM](media/private-link/private-link-vnet-link-dicom.png)](media/private-link/private-link-vnet-link-dicom.png#lightbox)
81+
:::image type="content" source="media/private-link/private-link-vnet-link-dicom.png" alt-text="Screenshot showing image of Private Link virtual network Link DICOM.":::
8382

8483
## Test private endpoint
8584

8685
To verify that your service isn’t receiving public traffic after disabling public network access, select the `/metadata` endpoint for your FHIR service, or the /health/check endpoint of the DICOM service, and you'll receive the message 403 Forbidden.
8786

88-
> [!NOTE]
89-
> It can take up to 5 minutes after updating the public network access flag before public traffic is blocked.
87+
It can take up to 5 minutes after updating the public network access flag before public traffic is blocked.
9088

9189
> [!IMPORTANT]
9290
> Every time a new service gets added into the Private Link enabled workspace, wait for the provisioning to complete. Refresh the private endpoint if DNS A records are not getting updated for the newly added service(s) in the workspace. If DNS A records are not updated in your private DNS zone, requests to a newly added service(s) will not go over Private Link.
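Review bot: line 55 (unchanged context) still has the typo `{subcriptionid}` and gives the resource ID without its leading slash; an ARM resource ID starts with `/subscriptions/`, so it should read `/subscriptions/{subscriptionid}/resourceGroups/{resourcegroupname}/providers/Microsoft.HealthcareApis/workspaces/{workspacename}`. Line 67's "two private DNS zone records and one for each service" is ambiguous about whether the workspace record is one of the two; state exactly which records to expect (for example one for the workspace plus one per FHIR and DICOM service). Line 86 mixes `/metadata` in code font with a bare /health/check, and the 403 check only proves anything when the request is sent from a host outside the virtual network; say so explicitly, otherwise a reader testing from inside the VNet will see a 200 and conclude public access is still open. Demoting the 5-minute warning from a NOTE to body text (lines 87-89) also makes it easier to miss, and it is exactly the detail that causes false "still public" reports.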
@@ -97,11 +95,4 @@ To ensure your Private Endpoint can send traffic to your server:
9795
2. Remote Desktop Protocols (RDP) into the VM.
9896
3. Access your FHIR server’s `/metadata` endpoint from the VM. You should receive the capability statement as a response.
9997

100-
## Next steps
101-
102-
In this article, you've learned how to configure Private Link for Azure Health Data Services. Private Link is configured at the workspace level and all subresources, such as FHIR services and DICOM services with the workspace, are linked to the Private Link and the virtual network. For more information about Azure Health Data Services, see
103-
104-
>[!div class="nextstepaction"]
105-
>[Overview of Azure Health Data Services](healthcare-apis-overview.md)
106-
107-
FHIR® is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.
98+
[!INCLUDE [FHIR and DICOM trademark statement](./includes/healthcare-apis-fhir-dicom-trademark.md)]
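Review bot: step 2 at line 95 ("Remote Desktop Protocols (RDP) into the VM") should read "Connect to the VM over Remote Desktop Protocol (RDP)". The test at step 3 is only conclusive if the VM resolves the FHIR service hostname to the private endpoint's IP address, so add a name-resolution check (for example an nslookup of the service hostname) before step 3; otherwise a capability statement returned over the public path is indistinguishable from the private path when public access has not yet been blocked. Minor style point: the include path is written `./includes/...` here and `includes/...` in the new network-access-security article in this same commit; both resolve, but pick one.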
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
---
2+
title: Manage network access security in Azure Health Data Services
3+
description: Learn about network access security and outbound connections for the FHIR, DICOM, and MedTech services in Azure Health Data Services.
4+
services: healthcare-apis
5+
author: timritzer
6+
ms.service: healthcare-apis
7+
ms.subservice: fhir
8+
ms.topic: conceptual
9+
ms.date: 05/06/2024
10+
ms.author: jasteppe
11+
---
12+
13+
# Manage network access security in Azure Health Data Services
14+
15+
Azure Health Data Services provides multiple options for securing network access to its features and for managing outbound connections made by the FHIR®, DICOM®, or MedTech services.
16+
17+
## Private Link
18+
19+
[Private Link](../private-link/index.yml) is a network isolation technique that allows access to Azure services, including Azure Health Data Services. Private Link allows data to flow over private Microsoft networks instead of the public internet. By using Private Link, you can allow access only to specified virtual networks, and lock down access to provisioned services. For more information, see [Configure Private Link](healthcare-apis-configure-private-link.md).
20+
21+
## Microsoft Trusted Services
22+
23+
Although most interactions with Azure Health Data Services are inbound requests, there are a few features of the services that need to make outbound connections to other resources. To control access from outbound connections, we recommend that you use the [Microsoft Trusted Service](../storage/common/storage-network-security.md) connections in the network settings of the target resource. Each outbound feature can have slightly different setup steps and intended target resources.
24+
25+
Here's a list of features that can make outbound connections from Azure Health Data Services:
26+
27+
### FHIR service
28+
29+
- **Export**: [Allow FHIR service export as a Microsoft Trusted Service](fhir/configure-export-data.md)
30+
- **Import**: [Allow FHIR service import as a Microsoft Trusted Service](fhir/configure-import-data.md)
31+
- **Convert**: [Allow trusted services access to Azure Container Registry](../container-registry/allow-access-trusted-services.md)
32+
- **Events**: [Allow trusted services access to Azure Event Hubs](../event-hubs/event-hubs-service-endpoints.md)
33+
- **Customer-managed keys**: [Allow trusted services access to Azure Key Vault](../key-vault/general/overview-vnet-service-endpoints.md)
34+
35+
### DICOM service
36+
37+
- **Import, export, and analytical support**: [Allow trusted services access to Azure Storage accounts](../storage/common/storage-network-security.md)
38+
- **Events**: [Allow trusted services access to Azure Event Hubs](../event-hubs/event-hubs-service-endpoints.md)
39+
- **Customer-managed keys**: [Allow trusted services access to Azure Key Vault](../key-vault/general/overview-vnet-service-endpoints.md)
40+
41+
### MedTech service
42+
43+
- **Events**: [Allow trusted services access to Azure Event Hubs](../event-hubs/event-hubs-service-endpoints.md)
44+
45+
## Service tags
46+
47+
[Service tags](../virtual-network/service-tags-overview.md) are sets of IP addresses that correspond to an Azure Service, for example Azure Health Data Services. You can use tags to control access on several Azure networking offerings such as Network Security Groups, Azure Firewall, and more.
48+
49+
Azure Health Data Services offers a [service tag](../virtual-network/service-tags-overview.md) `AzureHealthcareAPIs` that you can use to control access to and from the services. However, there are a few caveats that come with using Service Tags for network isolation, and we don't recommend relying on them. Instead, use the approaches described in this article for more granular controls. Service tags are shared across all users of a service, and all provisioned instances. Tags provide no isolation between customers within Azure Health Data Services, between separate instances of the workspaces, nor between the different service offerings.
50+
51+
If you use service tags, keep in mind that they're a convenient way of keeping track of sets of IP addresses. However, tags aren't a substitute for proper network security measures.
52+
53+
[!INCLUDE [FHIR and DICOM trademark statement](includes/healthcare-apis-fhir-dicom-trademark.md)]
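Review bot: line 19 links healthcare-apis-configure-private-link.md, but the redirection JSON in this same commit lists that exact path as a source_path_from_root being redirected to /azure/healthcare-apis/configure-private-link; link the live article file instead so the build does not emit a broken-link warning. Two smaller points: the "Microsoft Trusted Service" link at line 23 goes to the Azure Storage network-security page although the sentence is generic to all target resources, so either say "for example, for Storage accounts" or link a general trusted-services page; and line 49 says "use the approaches described in this article" as the alternative to service tags without naming them, so state that this means Private Link plus trusted-service allow rules on the target resource, since, as the same paragraph says, the `AzureHealthcareAPIs` tag gives every customer's instances the same network path and so cannot be used to allow only your own workspace.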

articles/healthcare-apis/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -20,6 +20,8 @@
2020
href: ./azure-api-for-fhir/overview.md
2121
- name: Business continuity & disaster recovery
2222
href: business-continuity-disaster-recovery.md
23+
- name: Manage network access security
24+
href: network-access-security.md
2325
- name: Quickstarts
2426
items:
2527
- name: Workspace provisioning

articles/storage/blobs/map-rest-apis-transaction-categories.md

Lines changed: 2 additions & 2 deletions
@@ -27,8 +27,8 @@ The price of each type appears in the [Azure Blob Storage pricing](https://azure
2727
| Logged operation | REST API | Premium block blob | Standard general purpose v2 | Standard general purpose v1 |
2828
|-----------------------------|-------------------------------------------------------------------------------------------|---------------------------|-----------------------------|-----------------------------|
2929
| AbortCopyBlob | [Abort Copy Blob](/rest/api/storageservices/abort-copy-blob) | Other | Other | Write |
30-
| AppendBlobSeal | [Append Blob Seal](/rest/api/storageservices/append-blob-seal) | Write | Write | Write |
31-
| AppendBlockFromURL | [Append Block from URL](/rest/api/storageservices/append-block-from-url) | Write | Write | Write |
30+
| SealBlob | [Append Blob Seal](/rest/api/storageservices/append-blob-seal) | Write | Write | Write |
31+
| AppendBlockThroughCopy | [Append Block from URL](/rest/api/storageservices/append-block-from-url) | Write | Write | Write |
3232
| AppendBlock | [Append Block](/rest/api/storageservices/append-block) | Write | Write | Write |
3333
| CopyBlobFromURL | [Copy Blob from URL](/rest/api/storageservices/copy-blob-from-url) | Write | Write | Write |
3434
| CopyBlob | [Copy Blob](/rest/api/storageservices/copy-blob) | Write<sup>2</sup> | Write<sup>2</sup> | Write<sup>2</sup> |
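Review bot: the table is ordered roughly alphabetically by logged operation name, so the renamed SealBlob row (line 30) now sits between AbortCopyBlob and AppendBlockThroughCopy; move it down to the S block. If these two rows are renames of the strings that actually appear in the logged operation field, also keep the old names (AppendBlobSeal, AppendBlockFromURL) visible somewhere on the page, because anyone filtering storage logs on the old values will silently stop matching.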

articles/storage/file-sync/file-sync-choose-cloud-tiering-policies.md

Lines changed: 3 additions & 0 deletions
@@ -55,6 +55,9 @@ The reason for the absolute minimum is due to the way NTFS stores extremely smal
5555

5656
Generally, when you enable cloud tiering on a server endpoint, you should create one local virtual drive for each individual server endpoint. Isolating the server endpoint makes it easier to understand how cloud tiering works and adjust your policies accordingly. However, Azure File Sync works even if you have multiple server endpoints on the same drive, for details see the [Multiple server endpoints on local volume](file-sync-cloud-tiering-policy.md#multiple-server-endpoints-on-a-local-volume) section. We also recommend that when you first enable cloud tiering, you keep the date policy disabled and volume free space policy at around 10% to 20%. For most file server volumes, 20% volume free space is usually the best option.
5757

58+
> [!NOTE]
59+
> In some migration scenarios, if you provisioned less storage on your Windows Server instance than your source, you can temporarily set volume free space to 99% during the migration to tier files to the cloud, and then set it to a more useful level after the migration is complete.
60+
5861
For simplicity and to have a clear understanding of how items will be tiered, we recommend you primarily adjust your volume free space policy and keep your date policy disabled unless needed. We recommend this because most customers find it valuable to fill the local cache with as many hot files as possible and tier the rest to the cloud. However, the date policy may be beneficial if you want to proactively free up local disk space and you know files in that server endpoint accessed after the number of days specified in your date policy don't need to be kept locally. Setting the date policy frees up valuable local disk capacity for other endpoints on the same volume to cache more of their files.
5962

6063
After setting your policies, monitor egress and adjust both policies accordingly. We recommend looking at the **cloud tiering recall size** and **cloud tiering recall size by application** metrics in Azure Monitor. We also recommend monitoring the cache hit rate for the server endpoint to determine the percentage of opened files that are already in the local cache. To learn how to monitor egress, see [Monitor cloud tiering](file-sync-monitor-cloud-tiering.md).
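Review bot: "if you provisioned less storage on your Windows Server instance than your source" (line 59) is ambiguous between less than the source volume's size and less than the data it holds; say which. The note should also state when to lower the 99% setting back (after the initial sync and tiering complete), since "after the migration is complete" leaves it open whether that means the upload or the cut-over. Unchanged line 56 also needs a comma in "for details see".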
